Keys are created with 0440 mode

Resolves rhbz#2008204

.gitignore

@@ -1 +1,3 @@
 /tang-7.tar.bz2
+/tang-8.tar.xz
+/tang-10.tar.xz

0001-Fix-issues-reported-by-shellcheck.patch

@@ -0,0 +1,155 @@
+From 0b0b1ef7244433cde737cd65d07930efd9667ed1 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Thu, 20 May 2021 10:21:21 -0300
+Subject: [PATCH 1/2] Fix issues reported by shellcheck
+
+Additionally, improve testing of these scripts.
+---
+ src/tang-show-keys    |  5 ++---
+ src/tangd-keygen      | 17 ++++++++++-------
+ src/tangd-rotate-keys |  6 +++---
+ tests/adv             | 20 ++++++++++++++++++++
+ tests/helpers         | 15 +++++++++++++++
+ 5 files changed, 50 insertions(+), 13 deletions(-)
+
+diff --git a/src/tang-show-keys b/src/tang-show-keys
+index 689e4df..0c33c3a 100755
+--- a/src/tang-show-keys
++++ b/src/tang-show-keys
+@@ -27,10 +27,9 @@ fi
+ 
+ port=${1-80}
+ 
+-adv=$(curl -sSf localhost:$port/adv)
++adv=$(curl -sSf "localhost:$port/adv")
+ 
+ THP_DEFAULT_HASH=S256    # SHA-256.
+-echo $adv \
+-    | jose fmt -j- -g payload -y -o- \
++jose fmt --json "${adv}" -g payload -y -o- \
+     | jose jwk use -i- -r -u verify -o- \
+     | jose jwk thp -i- -a "${THP_DEFAULT_HASH}"
+diff --git a/src/tangd-keygen b/src/tangd-keygen
+index 7a9adaf..f37121f 100755
+--- a/src/tangd-keygen
++++ b/src/tangd-keygen
+@@ -18,20 +18,23 @@
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ #
+ 
+-trap 'exit' ERR
++set -e
+ 
+-if [ $# -ne 1 -a $# -ne 3 ] || [ ! -d "$1" ]; then
++usage() {
+     echo "Usage: $0 <jwkdir> [<sig> <exc>]" >&2
+     exit 1
+-fi
++}
++
++[ $# -ne 1 ] && [ $# -ne 3 ] && usage
++[ -d "$1" ] || usage
+ 
+ [ $# -eq 3 ] && sig=$2 && exc=$3
+ 
+ THP_DEFAULT_HASH=S256     # SHA-256.
+-jwe=`jose jwk gen -i '{"alg":"ES512"}'`
++jwe=$(jose jwk gen -i '{"alg":"ES512"}')
+ [ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
+-echo "$jwe" > $1/$sig.jwk
++echo "$jwe" > "$1/$sig.jwk"
+ 
+-jwe=`jose jwk gen -i '{"alg":"ECMR"}'`
++jwe=$(jose jwk gen -i '{"alg":"ECMR"}')
+ [ -z "$exc" ] && exc=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
+-echo "$jwe" > $1/$exc.jwk
++echo "$jwe" > "$1/$exc.jwk"
+diff --git a/src/tangd-rotate-keys b/src/tangd-rotate-keys
+index 9d38bb5..a095a91 100755
+--- a/src/tangd-rotate-keys
++++ b/src/tangd-rotate-keys
+@@ -21,7 +21,7 @@
+ SUMMARY="Perform rotation of tang keys"
+ 
+ usage() {
+-    local _ret="${1:-1}"
++    _ret="${1:-1}"
+     exec >&2
+     echo "Usage: ${0} [-h] [-v] -d <KEYDIR>"
+     echo
+@@ -37,8 +37,8 @@ usage() {
+ }
+ 
+ log() {
+-    local _msg="${1}"
+-    local _verbose="${2:-}"
++    _msg="${1}"
++    _verbose="${2:-}"
+     [ -z "${_verbose}" ] && return 0
+     echo "${_msg}" >&2
+ }
+diff --git a/tests/adv b/tests/adv
+index 490d4d1..4c8bc97 100755
+--- a/tests/adv
++++ b/tests/adv
+@@ -93,6 +93,9 @@ fetch /adv
+ # Lets's now test with multiple pairs of keys.
+ for i in 1 2 3 4 5 6 7 8 9; do
+     tangd-keygen "${TMP}"/db other-sig-${i} other-exc-${i}
++    # Make sure the requested keys exist and are valid.
++    validate_sig "${TMP}/db/other-sig-${i}.jwk"
++    validate_exc "${TMP}/db/other-exc-${i}.jwk"
+ done
+ 
+ # Verify the advertisement is correct.
+@@ -104,3 +107,20 @@ for jwk in "${TMP}"/db/other-sig-*.jwk; do
+         fetch /adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}"
+     done
+ done
++
++# Now let's test keys rotation.
++tangd-rotate-keys -d "${TMP}/db"
++for i in 1 2 3 4 5 6 7 8 9; do
++    # Make sure keys were excluded from advertisement.
++    validate_sig "${TMP}/db/.other-sig-${i}.jwk"
++    validate_exc "${TMP}/db/.other-exc-${i}.jwk"
++done
++
++# And test also that we have valid keys after rotation.
++thp=
++for jwk in "${TMP}"/db/*.jwk; do
++    validate_sig "${jwk}" && thp="$(jose jwk thp -a "${THP_DEFAULT_HASH}" \
++                                    -i "${jwk}")"
++done
++[ -z "${thp}" ] && die "There should be valid keys after rotation"
++test "$(tang-show-keys $PORT)" = "${thp}"
+diff --git a/tests/helpers b/tests/helpers
+index af122ab..7ce54d7 100755
+--- a/tests/helpers
++++ b/tests/helpers
+@@ -56,7 +56,22 @@ validate() {
+     fi
+ }
+ 
++validate_sig() {
++    jose fmt --json "${1}" --output=- | jose jwk use --input=- --required \
++        --use verify 2>/dev/null
++}
++
++validate_exc() {
++    jose fmt --json "${1}" --output=- | jose jwk use --input=- --required \
++        --use deriveKey 2>/dev/null
++}
++
+ sanity_check() {
+     # Skip test if socat is not available.
+     [ -n "${SOCAT}" ] || exit 77
+ }
++
++die() {
++    echo "${1}" >&2
++    exit 1
++}
+-- 
+2.31.1
+

0002-Fix-possible-NULL-pointer-dereference-in-find_by_thp.patch

@@ -0,0 +1,29 @@
+From af3b3835bcdb7e2d7a4f14e077fecb5e472f11ba Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Thu, 20 May 2021 10:31:25 -0300
+Subject: [PATCH 2/2] Fix possible NULL pointer dereference in find_by_thp()
+
+jwk_thumbprint() might return NULL, so let's make sure we handle that
+case.
+
+Issue pointed out by gcc static analyzer.
+---
+ src/keys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/keys.c b/src/keys.c
+index 5a8c1ac..55d0cff 100644
+--- a/src/keys.c
++++ b/src/keys.c
+@@ -263,7 +263,7 @@ find_by_thp(struct tang_keys_info* tki, const char* target)
+     json_array_foreach(keys, idx, jwk) {
+         for (int i = 0; hashes[i]; i++) {
+             __attribute__ ((__cleanup__(cleanup_str))) char* thumbprint = jwk_thumbprint(jwk, hashes[i]);
+-            if (strcmp(thumbprint, target) != 0) {
++            if (!thumbprint || strcmp(thumbprint, target) != 0) {
+                 continue;
+             }
+ 
+-- 
+2.31.1
+

0003-keys-make-sure-keys-are-created-with-0440-mode.patch

@@ -0,0 +1,207 @@
+From b3d12b6a8f0ad7d56a584c1962e92f69b289a2a2 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Mon, 27 Sep 2021 15:19:42 -0300
+Subject: [PATCH 3/3] keys: make sure keys are created with 0440 mode
+
+There is no need for them to be readable by other than the owner/group.
+Helpers (tangd-keygen and tangd-rotate-keys) also updated.
+---
+ src/keys.c            |  7 ++++++
+ src/tangd-keygen      |  3 +++
+ src/tangd-rotate-keys |  1 +
+ tests/adv             | 11 +++++++++
+ tests/helpers         |  5 ++++
+ tests/rec             |  3 +++
+ tests/test-keys.c.in  | 54 +++++++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 84 insertions(+)
+
+diff --git a/src/keys.c b/src/keys.c
+index 55d0cff..a433f9c 100644
+--- a/src/keys.c
++++ b/src/keys.c
+@@ -17,6 +17,7 @@
+  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+  */
+ 
++#include <sys/stat.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <dirent.h>
+@@ -337,6 +338,12 @@ create_new_keys(const char* jwkdir)
+             fprintf(stderr, "Error saving JWK to file (%s)\n", path);
+             return 0;
+         }
++
++        /* Set 0440 permission for the new key. */
++        if (chmod(path, S_IRUSR | S_IRGRP) == -1) {
++            fprintf(stderr, "Unable to set permissions for JWK file (%s)\n", path);
++            return 0;
++        }
+     }
+     return 1;
+ }
+diff --git a/src/tangd-keygen b/src/tangd-keygen
+index f37121f..ed51124 100755
+--- a/src/tangd-keygen
++++ b/src/tangd-keygen
+@@ -34,7 +34,10 @@ THP_DEFAULT_HASH=S256     # SHA-256.
+ jwe=$(jose jwk gen -i '{"alg":"ES512"}')
+ [ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
+ echo "$jwe" > "$1/$sig.jwk"
++chmod 0440 "$1/$sig.jwk"
++
+ 
+ jwe=$(jose jwk gen -i '{"alg":"ECMR"}')
+ [ -z "$exc" ] && exc=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
+ echo "$jwe" > "$1/$exc.jwk"
++chmod 0440 "$1/$exc.jwk"
+diff --git a/src/tangd-rotate-keys b/src/tangd-rotate-keys
+index a095a91..8649652 100755
+--- a/src/tangd-rotate-keys
++++ b/src/tangd-rotate-keys
+@@ -78,6 +78,7 @@ cd "${JWKDIR}" || error "Unable to change to keys directory '${JWKDIR}'"
+         thp="$(printf '%s' "${jwe}" | jose jwk thp --input=- \
+                                            -a "${DEFAULT_THP_HASH}")"
+         echo "${jwe}" > "${thp}.jwk"
++        chmod 0440 "${thp}.jwk"
+         log "Created new key ${thp}.jwk" "${VERBOSE}"
+     done
+ cd - >/dev/null
+diff --git a/tests/adv b/tests/adv
+index 4c8bc97..1fde37e 100755
+--- a/tests/adv
++++ b/tests/adv
+@@ -27,6 +27,10 @@ export TMP=`mktemp -d`
+ mkdir -p $TMP/db
+ 
+ tangd-keygen $TMP/db sig exc
++# Make sure keys generated by tangd-keygen have proper permissions.
++valid_key_perm "${TMP}/db/sig.jwk"
++valid_key_perm "${TMP}/db/exc.jwk"
++
+ jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.sig.jwk
+ jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.oth.jwk
+ 
+@@ -96,6 +100,10 @@ for i in 1 2 3 4 5 6 7 8 9; do
+     # Make sure the requested keys exist and are valid.
+     validate_sig "${TMP}/db/other-sig-${i}.jwk"
+     validate_exc "${TMP}/db/other-exc-${i}.jwk"
++
++    # Make sure keys generated by tangd-keygen have proper permissions.
++    valid_key_perm "${TMP}/db/other-sig-${i}.jwk"
++    valid_key_perm "${TMP}/db/other-exc-${i}.jwk"
+ done
+ 
+ # Verify the advertisement is correct.
+@@ -121,6 +129,9 @@ thp=
+ for jwk in "${TMP}"/db/*.jwk; do
+     validate_sig "${jwk}" && thp="$(jose jwk thp -a "${THP_DEFAULT_HASH}" \
+                                     -i "${jwk}")"
++
++    # Make sure keys generated by tangd-rotate-keys have proper permissions.
++    valid_key_perm "${jwk}"
+ done
+ [ -z "${thp}" ] && die "There should be valid keys after rotation"
+ test "$(tang-show-keys $PORT)" = "${thp}"
+diff --git a/tests/helpers b/tests/helpers
+index 7ce54d7..8b789fb 100755
+--- a/tests/helpers
++++ b/tests/helpers
+@@ -75,3 +75,8 @@ die() {
+     echo "${1}" >&2
+     exit 1
+ }
++
++valid_key_perm() {
++    _perm="$(stat -c %a "${1}")"
++    [ "${_perm}" = "440" ]
++}
+diff --git a/tests/rec b/tests/rec
+index af0d075..7fba6a9 100755
+--- a/tests/rec
++++ b/tests/rec
+@@ -28,6 +28,9 @@ mkdir -p $TMP/db
+ 
+ # Generate the server keys
+ tangd-keygen $TMP/db sig exc
++# Make sure keys generated by tangd-keygen have proper permissions.
++valid_key_perm "${TMP}/db/sig.jwk"
++valid_key_perm "${TMP}/db/exc.jwk"
+ 
+ # Generate the client keys
+ exc_kid=`jose jwk thp -i $TMP/db/exc.jwk`
+diff --git a/tests/test-keys.c.in b/tests/test-keys.c.in
+index 1f811f3..fca26c4 100644
+--- a/tests/test-keys.c.in
++++ b/tests/test-keys.c.in
+@@ -32,6 +32,56 @@ struct test_result_int {
+     int expected;
+ };
+ 
++static void
++verify_keys_permissions(const char* targetdir)
++{
++    struct stat st;
++    struct dirent* d;
++    DIR* dir = opendir(targetdir);
++    ASSERT(dir);
++    char filepath[PATH_MAX];
++    const char* pattern = ".jwk";
++    while ((d = readdir(dir)) != NULL) {
++        if (strcmp(d->d_name, ".") == 0 || strcmp(d->d_name, "..") == 0) {
++            continue;
++        }
++
++        char* dot = strrchr(d->d_name, '.');
++        if (!dot) {
++            continue;
++        }
++
++        if (strcmp(dot, pattern) == 0) {
++            /* Found a file with .jwk extension. */
++            if (snprintf(filepath, PATH_MAX, "%s/%s", targetdir, d->d_name) < 0) {
++                fprintf(stderr, "Unable to prepare variable with file full path (%s); skipping\n", d->d_name);
++                continue;
++            }
++            filepath[sizeof(filepath) - 1] = '\0';
++            ASSERT(stat(filepath, &st) == 0);
++
++            ASSERT_WITH_MSG(st.st_mode & (S_IRUSR | S_IRGRP), "key = %s, missing perm (0%o)", filepath, (S_IRUSR | S_IRGRP));
++            int unexpected_perms[] = {
++                S_ISUID, /* 04000 set-user-ID */
++                S_ISGID, /* 02000 set-group-ID */
++                S_IWUSR, /* 00200 write by owner */
++                S_IXUSR, /* 00100 execute/search by owner */
++                S_IWGRP, /* 00020 write by group */
++                S_IXGRP, /* 00010 execute/search by group */
++                S_IROTH, /* 00004 read by others */
++                S_IWOTH, /* 00002 write by others */
++                S_IXOTH, /* 00001 execute/search by others */
++                0
++            };
++            for (int i = 0; unexpected_perms[i] != 0; i++) {
++                ASSERT_WITH_MSG((st.st_mode & unexpected_perms[i]) == 0, "key = %s, i = %d, unexpected perm (0%o)", filepath, i, unexpected_perms[i]);
++            }
++
++        }
++    }
++    closedir(dir);
++}
++
+ static void
+ test_create_new_keys(void)
+ {
+@@ -40,6 +90,10 @@ test_create_new_keys(void)
+     __attribute__((cleanup(cleanup_tang_keys_info))) struct tang_keys_info* tki = read_keys(newdir);
+     ASSERT(tki);
+     ASSERT(tki->m_keys_count == 2);
++
++    /* Make sure keys have proper permissions. */
++    verify_keys_permissions(newdir);
++
+     remove_tempdir(newdir);
+ }
+ 
+-- 
+2.31.1
+

0004-Specify-user-and-group-for-tang.patch

@@ -0,0 +1,147 @@
+From ab3b913cc74666dffe56d1f87f6f90653d8f4e70 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Sat, 2 Oct 2021 09:14:21 -0300
+Subject: [PATCH 4/4] Specify user and group for tang
+
+So that we can run tang itself with a different user.
+
+Systemd unit and helpers for rotating keys updated to use the
+new user and group.
+---
+ meson.build                                    |  2 ++
+ meson_options.txt                              |  2 ++
+ src/meson.build                                | 18 ++++++++++++++++--
+ src/{tangd-keygen => tangd-keygen.in}          | 11 +++++++++--
+ ...{tangd-rotate-keys => tangd-rotate-keys.in} |  9 ++++++++-
+ units/tangd@.service.in                        |  1 +
+ 6 files changed, 38 insertions(+), 5 deletions(-)
+ create mode 100644 meson_options.txt
+ rename src/{tangd-keygen => tangd-keygen.in} (85%)
+ rename src/{tangd-rotate-keys => tangd-rotate-keys.in} (92%)
+
+diff --git a/meson.build b/meson.build
+index 1733d47..7664e05 100644
+--- a/meson.build
++++ b/meson.build
+@@ -26,6 +26,8 @@ data.set('libexecdir', libexecdir)
+ data.set('sysconfdir', sysconfdir)
+ data.set('systemunitdir', systemunitdir)
+ data.set('jwkdir', jwkdir)
++data.set('user', get_option('user'))
++data.set('group', get_option('group'))
+ 
+ add_project_arguments(
+   '-D_POSIX_C_SOURCE=200809L',
+diff --git a/meson_options.txt b/meson_options.txt
+new file mode 100644
+index 0000000..9b1f7c6
+--- /dev/null
++++ b/meson_options.txt
+@@ -0,0 +1,2 @@
++option('user', type: 'string', value: 'tang', description: 'Unprivileged user for tang operations')
++option('group', type: 'string', value: 'tang', description: 'Unprivileged group for tang operations')
+diff --git a/src/meson.build b/src/meson.build
+index e7dc60c..f022775 100644
+--- a/src/meson.build
++++ b/src/meson.build
+@@ -7,8 +7,22 @@ tangd = executable('tangd',
+   install_dir: libexecdir
+ )
+ 
++tangd_keygen = configure_file(
++  input: 'tangd-keygen.in',
++  output: 'tangd-keygen',
++  configuration: data,
++  install: true,
++  install_dir: libexecdir
++)
++
++tangd_rotate_keys = configure_file(
++  input: 'tangd-rotate-keys.in',
++  output: 'tangd-rotate-keys',
++  configuration: data,
++  install: true,
++  install_dir: libexecdir
++)
++
+ bins += join_paths(meson.current_source_dir(), 'tang-show-keys')
+-libexecbins += join_paths(meson.current_source_dir(), 'tangd-keygen')
+-libexecbins += join_paths(meson.current_source_dir(), 'tangd-rotate-keys')
+ 
+ # vim:set ts=2 sw=2 et:
+diff --git a/src/tangd-keygen b/src/tangd-keygen.in
+similarity index 85%
+rename from src/tangd-keygen
+rename to src/tangd-keygen.in
+index ed51124..f74b86f 100755
+--- a/src/tangd-keygen
++++ b/src/tangd-keygen.in
+@@ -25,6 +25,13 @@ usage() {
+     exit 1
+ }
+ 
++set_perms() {
++    chmod 0440 -- "${1}"
++    if ! chown @user@:@group@ -- "${1}" 2>/dev/null; then
++        echo "Unable to change owner/group for ${1} to @user@:@group@" >&2
++    fi
++}
++
+ [ $# -ne 1 ] && [ $# -ne 3 ] && usage
+ [ -d "$1" ] || usage
+ 
+@@ -34,10 +41,10 @@ THP_DEFAULT_HASH=S256     # SHA-256.
+ jwe=$(jose jwk gen -i '{"alg":"ES512"}')
+ [ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
+ echo "$jwe" > "$1/$sig.jwk"
+-chmod 0440 "$1/$sig.jwk"
++set_perms "$1/$sig.jwk"
+ 
+ 
+ jwe=$(jose jwk gen -i '{"alg":"ECMR"}')
+ [ -z "$exc" ] && exc=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
+ echo "$jwe" > "$1/$exc.jwk"
+-chmod 0440 "$1/$exc.jwk"
++set_perms "$1/$exc.jwk"
+diff --git a/src/tangd-rotate-keys b/src/tangd-rotate-keys.in
+similarity index 92%
+rename from src/tangd-rotate-keys
+rename to src/tangd-rotate-keys.in
+index 8649652..56b94ad 100755
+--- a/src/tangd-rotate-keys
++++ b/src/tangd-rotate-keys.in
+@@ -48,6 +48,13 @@ error() {
+     usage 1
+ }
+ 
++set_perms() {
++    chmod 0440 -- "${1}"
++    if ! chown @user@:@group@ -- "${1}" 2>/dev/null; then
++        echo "Unable to change owner/group for ${1} to @user@:@group@" >&2
++    fi
++}
++
+ JWKDIR=
+ VERBOSE=
+ while getopts "hvd:" o; do
+@@ -78,7 +85,7 @@ cd "${JWKDIR}" || error "Unable to change to keys directory '${JWKDIR}'"
+         thp="$(printf '%s' "${jwe}" | jose jwk thp --input=- \
+                                            -a "${DEFAULT_THP_HASH}")"
+         echo "${jwe}" > "${thp}.jwk"
+-        chmod 0440 "${thp}.jwk"
++        set_perms "${thp}.jwk"
+         log "Created new key ${thp}.jwk" "${VERBOSE}"
+     done
+ cd - >/dev/null
+diff --git a/units/tangd@.service.in b/units/tangd@.service.in
+index f1db261..aeb2dc1 100644
+--- a/units/tangd@.service.in
++++ b/units/tangd@.service.in
+@@ -6,3 +6,4 @@ StandardInput=socket
+ StandardOutput=socket
+ StandardError=journal
+ ExecStart=@libexecdir@/tangd @jwkdir@
++User=@user@
+-- 
+2.31.1
+

sources

@@ -1 +1 @@
-SHA512 (tang-7.tar.bz2) = dd4187fa6962523ac2a745ef05a27cdf7e5264c595942e63d406d67a1c595e87bd7e74091cb2e16362f369480cdf8e3b4bfe1fee13b9cb73d5308f42c52f138a
+SHA512 (tang-10.tar.xz) = 9bd438edb77e4f14372a19313abde342d1b111e99e6b2b3aa46714dc0807fc33c62f4c778f83b7c30d00e2c7e0c65724a3b2d3116478ff4e67a408e3faac09ce

tang.spec

@@ -1,13 +1,20 @@
 Name:           tang
-Version:        7
-Release:        7%{?dist}
+Version:        10
+Release:        3%{?dist}
 Summary:        Network Presence Binding Daemon
 
 License:        GPLv3+
 URL:            https://github.com/latchset/%{name}
-Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
+Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
+
+Patch0001: 0001-Fix-issues-reported-by-shellcheck.patch
+Patch0002: 0002-Fix-possible-NULL-pointer-dereference-in-find_by_thp.patch
+Patch0003: 0003-keys-make-sure-keys-are-created-with-0440-mode.patch
+Patch0004: 0004-Specify-user-and-group-for-tang.patch
 
 BuildRequires:  gcc
+BuildRequires:  meson
+BuildRequires:  git-core
 BuildRequires:  jose >= 8
 BuildRequires:  libjose-devel >= 8
 BuildRequires:  libjose-zlib-devel >= 8
@@ -23,6 +30,7 @@ BuildRequires:  curl
 BuildRequires:  asciidoc
 BuildRequires:  coreutils
 BuildRequires:  grep
+BuildRequires:  socat
 BuildRequires:  sed
 
 %{?systemd_requires}
@@ -37,27 +45,18 @@ Requires(pre):  shadow-utils
 Tang is a small daemon for binding data to the presence of a third party.
 
 %prep
-%setup -q
+%autosetup -S git
 
 %build
-%configure
-make %{?_smp_mflags} V=1
+%meson
+%meson_build
 
 %install
-rm -rf $RPM_BUILD_ROOT
-%make_install
-%{__sed} -i 's|DirectoryMode=0700||' $RPM_BUILD_ROOT/%{_unitdir}/%{name}d-update.path
-%{__sed} -i 's|MakeDirectory=true||' $RPM_BUILD_ROOT/%{_unitdir}/%{name}d-update.path
-echo "User=%{name}" >> $RPM_BUILD_ROOT/%{_unitdir}/%{name}d-update.service
-echo "User=%{name}" >> $RPM_BUILD_ROOT/%{_unitdir}/%{name}d@.service
-%{__mkdir_p} $RPM_BUILD_ROOT/%{_localstatedir}/cache/%{name}
+%meson_install
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_localstatedir}/db/%{name}
 
 %check
-if ! make %{?_smp_mflags} check; then
-    cat test-suite.log
-    false
-fi
+%meson_test
 
 %pre
 getent group %{name} >/dev/null || groupadd -r %{name}
@@ -68,39 +67,60 @@ exit 0
 
 %post
 %systemd_post %{name}d.socket
-%systemd_post %{name}d-update.path
-%systemd_post %{name}d-update.service
-%systemd_post %{name}d-keygen.service
+
+# Let's make sure any existing keys are readable only
+# by the owner/group.
+if [ -d /var/db/tang ]; then
+    for k in /var/db/tang/*.jwk; do
+        test -e "${k}" || continue
+        chmod 0440 -- "${k}"
+    done
+    for k in /var/db/tang/.*.jwk; do
+        test -e "${k}" || continue
+        chmod 0440 -- "${k}"
+    done
+    chown tang:tang -R /var/db/tang
+fi
 
 %preun
 %systemd_preun %{name}d.socket
-%systemd_preun %{name}d-update.path
-%systemd_preun %{name}d-update.service
-%systemd_preun %{name}d-keygen.service
 
 %postun
 %systemd_postun_with_restart %{name}d.socket
-%systemd_postun_with_restart %{name}d-update.path
-%systemd_postun_with_restart %{name}d-update.service
-%systemd_postun_with_restart %{name}d-keygen.service
 
 %files
 %license COPYING
-%attr(0750, %{name}, %{name}) %{_localstatedir}/cache/%{name}
-%attr(2570, %{name}, %{name}) %{_localstatedir}/db/%{name}
-%{_unitdir}/%{name}d-keygen.service
-%{_unitdir}/%{name}d-update.service
-%{_unitdir}/%{name}d-update.path
+%attr(0700, %{name}, %{name}) %{_localstatedir}/db/%{name}
 %{_unitdir}/%{name}d@.service
 %{_unitdir}/%{name}d.socket
 %{_libexecdir}/%{name}d-keygen
-%{_libexecdir}/%{name}d-update
+%{_libexecdir}/%{name}d-rotate-keys
 %{_libexecdir}/%{name}d
 %{_mandir}/man8/tang.8*
 %{_bindir}/%{name}-show-keys
 %{_mandir}/man1/tang-show-keys.1*
 
 %changelog
+* Mon Oct 04 2021 Sergio Arroutbi <sarroutb@redhat.com> - 10-3
+- Keys are created with 0440 mode
+  Resolves rhbz#2008204
+
+* Thu May 20 2021 Sergio Correia <scorreia@redhat.com> - 10-2
+- Fix issues reported by shellcheck and a possible NULL pointer
+  dereference reported by gcc static analyzer (3d770c6, 262d98f)
+
+* Wed May 05 2021 Sergio Correia <scorreia@redhat.com> - 10-1
+- New upstream release - v10.
+
+* Tue Feb 09 2021 Sergio Correia <scorreia@redhat.com> - 8-1
+- Update to new tang upstream release, v8.
+
+* Tue Dec 1 2020 Sergio Correia <scorreia@redhat.com> - 7.8
+- Move build system to meson
+  Upstream commits (fed9020, 590de27)
+- Move key handling to tang itself
+  Upstream commits (6090505, c71df1d, 7119454)
+
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild